Data Protection Notice

The protection of your personal data is important to the BNP Paribas Group, which has adopted strong principles in that respect for the entire Group in its Personal Data Privacy Charter available at group.bnpparibas.

This Data Protection Notice provides you with detailed information relating to the protection of your personal data by Group Communications, one of the Group Functions of BNP Paribas SA (“we”).

We are responsible, as a controller through our various brands , notably e.g. BNP Paribas, Hello Bank, We Are Tennis, We Love Cinéma, Echonet, for collecting and processing your personal data in relation to our activities. The purpose of this Data Protection Notice is to let you know which personal data we collect about you, the reasons why we use and share such data, how long we keep it, what your rights are and how you can exercise them.

Further information may be provided where necessary when you apply for, subscribe or use a specific product or service.

1.WHICH PERSONAL DATA DO WE USE ABOUT YOU?

We collect and use your personal data to the extent necessary in the framework of our activities and to achieve a high standard of personalised products and services.

In certain circumstances, we may collect and use personal data of individuals with whom we have, could have, or used to have a direct relationship, for example, prospects.

For some reasons, we may also collected information about you whereas you have not direct relationship with us. This may happen for instance when your employer provide us with information about you or your contact details are provided by one of our clients if you are for example :

Family members;

Legal representatives (power of attorney);

Company shareholders;

Representatives of a legal entity (which may be a client or a vendor);

Staff of service providers and commercial partners

Journalists

Personal contacts.

3.WHY AND ON WHICH BASIS DO WE USE YOUR PERSONAL DATA?

a. To comply with our legal and regulatory obligations

We use your personal data to comply with various legal and regulatory obligations, including:

banking and financial regulations in compliance with which we:

set up security measures in order to prevent abuse and fraud;

detect transactions which deviate from the normal patterns; and

record, when necessary, phone calls, chats, email, etc

prevention of money-laundering and financing of terrorism

reply to an official request from a duly authorised public or judicial authority.

b. To perform a contract with you or to take steps at your request before entering into a contract

We use your personal data to enter into and perform our contracts, including to:

provide you with information regarding our products and services;

assist you and answer your requests;

evaluate if we can offer you a product or service and under which conditions; and

provide products or services to our corporate clients of whom you are an employee or a client (for instance: in the context of cash management).

c.To fulfil our legitimate interest

We use your personal data in order to deploy and develop our products or services, to improve our risk management and to defend our legal rights, including:

proof of transactions;

IT management, including infrastructure management (e.g. : shared platforms) & business continuity and IT security;

establishing aggregated statistics, tests and models, for research and development, in order to improve the risk management of our group of companies or in order to improve existing products and services or create new ones;

personalising our offering to you and that of other BNP Paribas entities through:

improving the quality of our banking, financial or insurance products or services;

advertising products or services that match with your situation and profile which we achieve. This can be achieved by :

segmenting our prospects and clients;

analysing your habits and preferences in the various channels (visits to our branches, emails or messages, visits to our website, etc.);

sharing your data with another BNP Paribas entity, notably if you are – or are to become – a client of that other entity;

matching the products or services that you already hold or use with other data we hold about you (e.g. we may identify that you have children but no family protection insurance yet); and

administer a contest, sweepstakes, giveaway, competition, or other similar marketing campaign or offering promotional games and managing events

communicating about our products, services, offers, news, and what we generally do at BNP Paribas or other brands managed by Group Communications

customer service, including responses to your inquiries;

to improve and personalise your experience on our websites and applications;

account maintenance including administering any consumer loyalty or rewards programs that are associated with your account;

to process and ship prize won through your participation to our promotional games.

Your data may be aggregated into anonymized statistics that may be offered to professional clients to assist them in developing their business. In this case your personal data will never be disclosed and those receiving these anonymised statistics will be unable to ascertain your identity.

d. To respect your choice if we requested your consent for a specific processing

In certain cases, we must require your consent to process your data, for example:

where the above purposes lead to automated decision-making, which produces legal effects or which significantly affects you. At that point, we will inform you separately about the logic involved, as well as the significance and the envisaged consequences of such processing;

if we need to carry out further processing for purposes other than those above in section 3, we will inform you and, where necessary, obtain your consent.

for interaction on social networks for the purposes of running contests.

4.WHO DO WE SHARE YOUR PERSONAL DATA WITH?

To fulfill the aforementioned purposes, we only disclose your personal data to:

BNP Paribas Group entities (e.g. you can benefit from our full range of group products and services);

Service providers which perform services on our behalf;

Independent agents, intermediaries or brokers banking and commercial partners, with which we have regular relationship;

Financial or judicial authorities, state agencies or public bodies, upon request and to the extent permitted by law;

Certain regulated professionals such as lawyers, notaries or auditors.

5.TRANSFERS OF PERSONAL DATA OUTSIDE THE EEA

In case of international transfers originating from the European Economic Area (EEA), where the European Commission has recognised a non-EEA country as providing an adequate level of data protection, your personal data may be transferred on this basis.

For transfers to non-EEA countries whose level of protection has not been recognised by the European Commission, we will either rely on a derogation applicable to the specific situation (e.g. if the transfer is necessary to perform our contract with you such as when making an international payment) or implement one of the following safeguards to ensure the protection of your personal data:

Standard contractual clauses approved by the European Commission;

Binding corporate rules

To obtain a copy of these safeguards or details on where they are available, you can send a written request as set out in Section 9.

6. FOR HOW LONG DO WE KEEP YOUR PERSONAL DATA?

We will retain your personal data for the longer of the period required in order to comply with applicable laws and regulations or another period with regard to our operational requirements, such as proper account maintenance, facilitating client relationship management, and responding to legal claims or regulatory requests.

At Group Communications, your data will be kept for the duration of our relationship (for example, subscription to a newsletter) and kept for a maximum of 2 years after the end of this relationship. For prospects, information is kept for 2 years.

7.WHAT ARE YOUR RIGHTS AND HOW CAN YOU EXERCISE THEM?

In accordance with applicable regulations, you have the following rights:

To access: you can obtain information relating to the processing of your personal data, and a copy of such personal data.

To rectify: where you consider that your personal data are inaccurate or incomplete, you can require that such personal data be modified accordingly.

To erase: you can require the deletion of your personal data, to the extent permitted by law.

To restrict: you can request the restriction of the processing of your personal data.

To object: you can object to the processing of your personal data, on grounds relating to your particular situation. You have the absolute right to object to the processing of your personal data for direct marketing purposes, which includes profiling related to such direct marketing.

To withdraw your consent: where you have given your consent for the processing of your personal data, you have the right to withdraw your consent at any time.

To data portability: where legally applicable, you have the right to have the personal data you have provided to us be returned to you or, where technically feasible, transferred to a third party.

If you wish to exercise the rights listed above, please send a letter to the following address: